Google, Microsoft push fixes but others likely exposed

Cornell Tech researchers Vitaly Shmatikov and Martin Georgiev claim web URL shorteners are built on predictable syntax that can be searched and identified in a potential breach of privacy.

The academics studied URL shorteners – including those created by Google, Bit.ly and Microsoft – finding that attackers could find private documents and foist malware by enumerating pre-existing addresses with ease, and that well-resourced adversaries could find out existing URLs of all shortening services.

Google, whose Google Maps product has an embedded a tool that creates URLs with the goo.gl domain, and Microsoft, whose OneDrive also has an embedded shortener, have pushed fixes such that new shortened URL links are secure. However, old links remain vulnerable.

“Short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force,” Shmatikov says.

“Our scan discovered a large number of Microsoft OneDrive accounts with private documents.

“Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.”

The pair says in their Gone in Six Characters: Short URLs Considered Harmful for Cloud Services [PDF] that they found driving directions which could reveal a user's home address, their hospital, trips to prisons, and adult establishments.

Shortened URLS are a combination of domain names and a combination five- to seven-character token; it is this brevity that introduces the basic vulnerabilities.

“The tokens are so short that the entire set of URLs can be scanned by brute force,” Shmatikov says. “The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.”

The pair explained their methodology in full in the paper, noting that they had found 1.1 million publicly accessible OneDrive documents including documents and executables from a scan of 100 million.

Of these, seven per cent of OneDrives were exposed and open to writing.

Another random scan of Google-shortened URLs proffered 23,965,718 live links – of which 10 per cent contained driving directions to sensitive locations including disease, addiction and abortion clinics, jails and even strip clubs.

Shmatikov recommends: “Warn users that shortening a URL may expose the content behind the original URL to unintended third parties. Use your own resolver and tokens, not bit.ly. Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners. Finally, design better APIs so that leakage of a single URL does not compromise every shared URL in the account.” ®